For a long time the VPS hosting this site was using nginx as its web server.

Why? Because I hated it less than Apache and the Arch Linux wiki had a bunch of configuration I could reference.

Recently I switched to Caddy because HTTP/3.

Masquerading as a real administrator

The box this is running on has very low traffic. Even with that being the case I wanted to make sure that it had a modern and secure configuration.

What did this look like with nginx? Lots of configuration about TLS. This has been vastly improved with Certbot’s somewhat automatic configuration of a reasonable TLS setup but it still was a pain. For example, I wanted to prefer ChaCha20-Poly1305 over AES so that mobile devices would have better performance. This meant I had pass nginx an environment variable to an openssl.conf file. Ugh.

It worked, however, and I was able to have the latest and most secure methods of connection.

And then RFC9114 was published.

nginx has a branch with experimental support, but I didn’t want to use packages from AUR. Recompiling with every update is a chore. So it was time to look for an alternative.

Why even care?

One of the “big reasons” to support HTTP/3 is performance. Realistically, HTTP/3 offers no performance benefits over HTTP/2 for the content being provided on this host.

It is because TLS is non-optional for QUIC. I have always wanted to have the best security settings.


Caddy comes out of the box with support for HTTP/3. It’s an experimental feature in the current release, but support by default was recently merged into the main development branch.

And, after an getting things running (including an embarrassingly long troubleshooting process before I realized that UDP port 443 was being blocked by my firewall) HTTP/3 was a go.

Of course, I wasn’t about to just make HTTP/3 work and call it a day. I hadn’t messed with the TLS configuration save to point Caddy to my certificate and key files. So I ran a TLS test on my server.

Caddy’s default configuration is shockingly good. Only TLS 1.2 and 1.3. Only AES-GCM and ChaCha-Poly1305. EC key exchange only. Automatic redirection to HTTPS. And it prefers ChaCha-Poly1305 on mobile without doing anything. And the ACME client is integrated so I don’t have to run Certbot. Perfect!

I was hesitant to try a new webserver, but Caddy’s defaults are just too good.